I am having difficulty allowing VPN traffic to pass through my firewall.

I have tried various combinations, with the below being my latest.

Code:

pass on $ext_if proto esp from any to any
pass on $ext_if proto udp from any to any port {isakmp, ipsec-nat-t}
pass on $int_if proto esp from any to any
pass on $int_if proto udp from any to any port {isakmp, ipsec-nat-t}

Basically all I am trying to do is allow any traffic that is connected to my VPN (not set up on the PF machine) to pass through my firewall (PF).

Since I am not actually hosting the VPN on the OpenBSD box the traffic coming to it is not actually "VPN" but standard traffic at that point. I added a rule to permit the IP address block for the VPN users and traffic flowed.

I am curious if this is the best way to do this. If someone were somehow able to "spoof" the source IP of the VPN traffic, would they be permitted in then?
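The following pf.conf fragment is an added example, not part of the original post, showing one way to structure the ruleset described above for an OpenBSD firewall that sits in front of a separately hosted VPN concentrator. It permits IKE and ESP only to the concentrator, permits the decrypted client traffic only from the VPN address pool and only via the internal interface, and pairs that address-based rule with pf's antispoof and reverse-path (urpf-failed) checks, so that a packet carrying a pool address as its source is dropped unless it arrives on the interface where that address range actually lives. Interface names and the address ranges are assumptions chosen for the example.

```pf
# Added example (not from the original post). Interface names and addresses
# below are assumptions; replace them with the real values.
ext_if   = "em0"
int_if   = "em1"
vpn_gw   = "192.0.2.10"        # assumed: VPN concentrator on the inside
vpn_pool = "198.51.100.0/24"   # assumed: addresses handed to VPN clients

set skip on lo

# Source-address sanity checks: drop packets that claim an address belonging
# to the internal network but arrive on another interface, and drop packets
# whose source fails a reverse-path lookup (e.g. a pool address arriving on
# the external interface). These run before any pass rule because of "quick".
antispoof quick for $int_if
block in quick from urpf-failed

# Default deny; everything below is an explicit exception.
block all

# IKE (isakmp, ipsec-nat-t) and ESP may only reach the VPN concentrator,
# not "any" host. pass rules keep state by default, so replies flow back.
pass in  on $ext_if proto udp from any     to $vpn_gw port { isakmp, ipsec-nat-t }
pass in  on $ext_if proto esp from any     to $vpn_gw
pass out on $ext_if proto udp from $vpn_gw to any      port { isakmp, ipsec-nat-t }
pass out on $ext_if proto esp from $vpn_gw to any

# Decrypted VPN client traffic appears on the inside with a pool source
# address; allow it in on the internal interface and out to the Internet.
pass in  on $int_if from $vpn_pool to any
pass out on $ext_if from $vpn_pool to any
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. The design point is that pf only ever sees IP headers, so a rule that passes "from $vpn_pool" cannot by itself tell a genuine VPN client from a forged source address; what makes the rule safe is restricting it to the interface the concentrator is actually behind and rejecting pool-sourced packets that show up anywhere else.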